File name: WWVISIT.rar

Full analysis: https://app.any.run/tasks/0e757b87-2c10-4499-9ebc-8088d452537f
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: June 27, 2022, 11:55:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 4A7A104DA0C55BABBF7FADBE02C72B97
SHA1: 75A2F09EEED9F9A3C3D34E1906DD47DDB0A57DE1
SHA256: BE844BC0714032C40E0DB886EAB6CE15BB50C76B94B7E531D32EE82A53169473
SSDEEP: 196608:+pggWu+Yl7IZQYkVqHGxmijljb9OHr6Dyq+WH6Ghefn9nToiUnlYqzZbVOg4J5lZ:+pquSOY+qmg+K6eTBQlYku

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 4080)
    • Loads dropped or rewritten executable
      • WWVISIT.exe (PID: 3260)
    • Application was dropped or rewritten from another process
      • WWVISIT.exe (PID: 3260)
  • SUSPICIOUS
    • Checks supported languages
      • WinRAR.exe (PID: 4080)
      • WWVISIT.exe (PID: 3260)
    • Reads the computer name
      • WinRAR.exe (PID: 4080)
      • WWVISIT.exe (PID: 3260)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 4080)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 4080)
  • INFO
    • Reads settings of System Certificates
      • WWVISIT.exe (PID: 3260)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 4080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process details are in the full report)

start -> winrar.exe -> drop and start -> wwvisit.exe

Process information

PID: 4080
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\WWVISIT.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3260
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\WWVISIT.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\WWVISIT.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Total events: 3 496
Read events: 3 478
Write events: 18
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
4080 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\WWVISIT.rar
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
4080 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
Executable files: 28
Suspicious files: 1
Text files: 3
Unknown types: 15

Dropped files

PID | Process | Filename | Type
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\data\project.xml | xml
  MD5: 98355FF1EB07A66F255C3805E030A8A7
  SHA256: 800B5733E29B12BB245B97A5E2E65F2D361F70780E644ECA9038313BE0BEC0DD
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qico.dll | executable
  MD5: EDDF7FB99F2FCAEA6FE4FD34B8FD5D39
  SHA256: 9D942215A80A25E10EE1A2BB3D7C76003642D3A2D704C38C822E6A2CA82227BF
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\D3Dcompiler_47.dll | executable
  MD5: E6945CCEEFC0A122833576A5FC5F88F4
  SHA256: FB8D0049F5DD5858C3B1DA4836FB4B77D97B72D67AD951EDB48F1A3E087EC2B1
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\data\remote_settings.ini | text
  MD5: 6C8B0641D4D019DA8F99339DE19DA7CA
  SHA256: 78EFB7D5F66CCE1C0DE86A764BC48450B929DF61849280B861FB0DB2128B2A37
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\bearer\qgenericbearer.dll | executable
  MD5: DBA35D31C2B6797C8A4D38AE27D68E6E
  SHA256: 086D6BA24F34A269856C4E0159A860657590D05AABB2530247E685543B34C52F
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\libEGL.dll | executable
  MD5: 379358B4CD4B60137C0807F327531987
  SHA256: 0FF1D03926F5D9C01D02FAE5C5E1F018A87D7F90A1826DE47277530BFC7776F8
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qwebp.dll | executable
  MD5: F859ECC883476FE2C649CEFBBD7E6F94
  SHA256: B057C49C23C6EBE92E377B573723D9B349A6EDE50CFD3B86573B565BF4A2AE0B
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qicns.dll | executable
  MD5: 52C6978203CA20BEEAD6E8872E80D39F
  SHA256: E665F3519309BAE42E0E62F459ECC511701DDDDF94599EBFD213D0A71775C462
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qgif.dll | executable
  MD5: C108D79D7C85786F33F85041445F519F
  SHA256: D5459A707922DD2BF50114CC6718965173EE5B0F67DEB05E933556150CFDD9D1
4080 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa4080.9893\WWVISIT\imageformats\qdds.dll | executable
  MD5: 3FDB8D8407CCCFAA0290036CC0107906
  SHA256: 3A71A119EEABCE867B57636070ADEB057443A6EC262BE1360F344CB3905545DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3260 | WWVISIT.exe | 51.38.126.82:443 | bablosoft.com | | GB | suspicious

DNS requests

Domain | IP | Reputation
bablosoft.com | 51.38.126.82 | whitelisted

Threats

PID | Process | Class | Message
| | Potentially Bad Traffic | ET INFO Bablosoft BAS Related Domain in DNS Lookup (bablosoft .com)
| | Potentially Bad Traffic | ET TROJAN Observed DNS Query to bablosoft Domain (bablosoft .com)
3260 | WWVISIT.exe | Potentially Bad Traffic | ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)
3260 | WWVISIT.exe | Potentially Bad Traffic | ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)
3260 | WWVISIT.exe | Potentially Bad Traffic | ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)
No debug info